Quickbox · Quickbox Community Edition · CVE-2020-13694
**Name of the Vulnerable Software and Affected Versions**
QuickBox Community Edition versions 2.5.5 and earlier
QuickBox Pro Edition versions 2.1.8 and earlier
**Description**
The issue allows the local `www-data` user to run `sudo mysql` without a password. As a result, the `www-data` user can execute arbitrary OS commands via the `mysql -e` option.
**Recommendations**
For QuickBox Community Edition versions 2.5.5 and earlier, update to a version where this issue is fixed.
For QuickBox Pro Edition versions 2.1.8 and earlier, update to a version where this issue is fixed.
As a temporary workaround, consider restricting the `www-data` user's access to the `mysql` command until a patch is available.
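
To check whether a host still carries the passwordless grant described above, the following added example (not part of the advisory and not QuickBox code) scans sudoers-format text for rules that give a user `mysql`, or `ALL` commands, under `NOPASSWD`. The helper names and the sample sudoers lines are constructed for illustration; the real QuickBox rule may be worded differently.

```shell
#!/usr/bin/env bash
# Added example (not QuickBox code): flag sudoers rules that let a user run
# mysql, or ALL commands, under a NOPASSWD tag. Reads sudoers text on stdin.
# find_nopasswd_mysql and sample_sudoers are hypothetical helper names.
find_nopasswd_mysql() {
  awk -v user="${1:-www-data}" '
    $1 == user {                          # user spec lines only; aliases are not expanded
      spec = $0
      sub(/^[^=]*=/, "", spec)            # drop the "user host =" prefix
      gsub(/\([^)]*\)/, "", spec)         # drop Runas lists such as (ALL) or (root)
      n = split(spec, items, ",")
      nopass = 0                          # a tag applies until a later tag overrides it
      for (i = 1; i <= n; i++) {
        item = items[i]
        if (item ~ /NOPASSWD[ \t]*:/) nopass = 1
        else if (item ~ /PASSWD[ \t]*:/) nopass = 0
        gsub(/[A-Z_]+[ \t]*:/, "", item)  # strip tags, leaving the command
        split(item, w, " ")
        base = w[1]
        sub(/.*\//, "", base)             # basename of the command path
        if (nopass && (base == "mysql" || w[1] == "ALL")) {
          print NR ": " $0                # line number and the offending rule
          next
        }
      }
    }'
}

# Constructed sample policy, not the real QuickBox sudoers file.
sample_sudoers() {
  cat <<'EOF'
# constructed sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/mysql
www-data ALL=(root) /usr/bin/mysql
deploy ALL=(ALL) NOPASSWD: /usr/bin/mysql
EOF
}

# Only line 4 of the sample is reported for www-data.
sample_sudoers | find_nopasswd_mysql www-data
```

On a host, feed it the real policy, for example `sudo cat /etc/sudoers /etc/sudoers.d/* | find_nopasswd_mysql www-data` (line numbers then count across the concatenated files). `sudo -l -U www-data` shows the effective rules as sudo itself resolves them, including aliases this script does not expand.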